Cyber Criminals Prove Elusive

Law enforcement efforts to snare virus writers are improving, but the
most destructive ones have evaded capture.

It was a great year for catching cyber criminals, but the culprits behind
some of the most damaging software viruses of 2004 are proving adept at
eluding authorities, security experts say.

Tracking virus writers -- and more importantly, gathering evidence against
them -- is a thorny problem for law enforcement agencies worldwide. While
the number of arrests made and sentences handed down make 2004
the best year yet for catching cyber criminals, it won't have a noticeable
effect on eliminating virus writers, according to Finnish security firm
F-Secure.

"The arrests, nearly all of them relating to virus writing, have been the
hobbyists, teenagers -- the easy ones," said Mikko Hypponen, F-Secure
director of anti-virus research. "What we'd be much more interested in
getting arrested would be the professionals and the virus writers who do it
for money."

The company pointed to three primary security-related trends in 2004: a
massive increase in phishing attacks; the introduction of open-source
botnets and for-profit virus writing.

Consider the six major viruses -- Bagle, MyDoom, Netsky, Sasser, Korgo and
Sober -- of 2004: three were designed for specific crimes, F-Secure said.

The intent of MyDoom and Bagle and the legions of variants it spawned was to
create zombied spam proxies, despite the very real-world
effect of causing millions in damages and the distributed denial-of
-service (DDoS) attacks on Microsoft.com and SCO.com.

It
gave spammers a launching pad to dramatically increase the amount of junk
e-mails around the world. According to F-Secure numbers, at one point
MyDoom.A was responsible for 10 percent of all e-mail traffic.

Because both viruses used the Mitglieder proxy Trojan
officials at the security company suspect the two viruses might
have been written by one group of writers. Bagle.A downloaded the Trojan from a Web site, and it
was installed through a backdoor in MyDoom.A-infected
machines.

The two viruses also prompted something of a turf
battle among virus writers. Netsky, which delivers its own
PC-compromising payload, also deleted the registry entries used to launch
the Bagle proxy.

The Korgo virus, on the other hand, was designed to grab credit card and
banking information, according to F-Secure. Similar to the Sasser
worm, the virus targeted Windows 2000 and XP machines, scanning
random IP addresses for PCs with a vulnerable, unpatched Local Security
Authority Subsystem Service (LSASS).

While the amount of spam is becoming an ever-increasing problem for
individuals and corporations -- the numbers range anywhere from
66 percent to 82 percent of total e-mail volume, depending on the season --
the viruses that launch spam proxies are being created because it makes
money.

Marty Lindner, CERT Coordination Center team leader for incident handling,
said the increase in spam and phishing attacks -- human exploitation, not
software exploitation -- is one of the biggest trends in 2004.

"Why do the bad guys have to work so hard writing fancy code to exploit a
buffer overflow or something when I can offer you a Rolex watch and I've
got you?"

Catching virus writers has been a tough job for law enforcement agencies
around the world. Despite some high-profile arrests, the relative number is
small. In August, the Department of Justice reported with success with Operation
Slam Spam.

"If there's an increase [in arrests and indictments], it's very, very
slight," said Paul Bresson, a spokesperson for the FBI, about his agency's efforts to combat virus writers. "We
tend to devote our resources depending on the volume and scope of what's out
there, and if there's a lot out there, we devote more resources."

The international nature of the Internet means many criminals can leave a
long, convoluted trail that crosses national boundaries with ease, even if
its law enforcement agencies can't. Despite actions by the Federal Trade
Commission to promote
cross-border communications and aid, there are still blind spots where
virus writers can flourish.

Hypponen said whenever he speaks with his law enforcement contacts about
tracking spammers or virus writers and it leads to places like Romania or
Belarussia or Lithuania, "you hear this sigh from the investigators,"
because they know it became that much harder to gain local cooperation, he
said.

"The bad guys know how to re-route their spam and their viruses and their
hacking through six, seven, eight different countries and go through
places like China and South Korea and some obscure island in the South
Pacific just to make it hard for the authorities to track them," Hypponen said.

As an example, he points to a recent case where a Russian factory was hit
with a virus by a hacker group operating out of Kuwait. The virus, gaining
access to the machines, started downloading more code from a Web site
registered in a small island off the coast of Africa. The actual Web
server, however, wasn't there; it was registered through Sweden to Jordan.
From Jordan, the infected machines in Russia downloaded code that connected
them with an IRC chat system operated in chat. cnn.com -- CNN's chat server
in the U.S.

Hypponen said it was a relatively easy matter for his company to call CNN
and the ISPs in charge of the Web server to blunt the effects of the
outbreak, but it's something police would have had a tougher time
accomplishing.

"If the Russian factory would have called the cops," he said, "how likely would it have
been for the Russian police to first of all successfully track the virus
around the globe and how likely is it that they would have been able to
prosecute the Kuwaiti offenders?"